NAVAL POSTGRADUATE SCHOOL 
Monterey, California 




THESIS 




SOFTWARE AND THE VIRUS THREAT: 
PROVIDING AUTHENTICITY IN DISTRIBUTION 


by 




LT George M. LaVenture, USN 


March 1991 




Thesis Advisor: Dr. Norman F. Schneidewind 



Approved for public release; distribution is unlimited. 






SECURITY CLASSIFICATION OF THIS PAGE 

REPORT DOCUMENTATION PAGE 

1a. REPORT SECURITY CLASSIFICATION: Unclassified 
1b. RESTRICTIVE MARKINGS: 
2a. SECURITY CLASSIFICATION AUTHORITY: 
2b. DECLASSIFICATION/DOWNGRADING SCHEDULE: 
3. DISTRIBUTION/AVAILABILITY OF REPORT: Approved for public release; distribution is unlimited. 
4. PERFORMING ORGANIZATION REPORT NUMBER(S): 
5. MONITORING ORGANIZATION REPORT NUMBER(S): 
6a. NAME OF PERFORMING ORGANIZATION: Naval Postgraduate School 
6b. OFFICE SYMBOL (If applicable): 55 
6c. ADDRESS (City, State, and ZIP Code): Monterey, CA 93943-5000 
7a. NAME OF MONITORING ORGANIZATION: Naval Postgraduate School 
7b. ADDRESS (City, State, and ZIP Code): Monterey, CA 93943-5000 
8a. NAME OF FUNDING/SPONSORING ORGANIZATION: 
8b. OFFICE SYMBOL (If applicable): 
8c. ADDRESS (City, State, and ZIP Code): 
9. PROCUREMENT INSTRUMENT IDENTIFICATION NUMBER: 
10. SOURCE OF FUNDING NUMBERS: Program Element No / Project No / Task No / Work Unit Accession Number 
11. TITLE (Include Security Classification): SOFTWARE AND THE VIRUS THREAT: PROVIDING AUTHENTICITY IN DISTRIBUTION 
12. PERSONAL AUTHOR(S): LAVENTURE, GEORGE M. 
13a. TYPE OF REPORT: Master's Thesis 
13b. TIME COVERED: From   To 
14. DATE OF REPORT (year, month, day): March 1991 
15. PAGE COUNT: 82 
16. SUPPLEMENTARY NOTATION: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. 
17. COSATI CODES: FIELD / GROUP / SUBGROUP 
18. SUBJECT TERMS (continue on reverse if necessary and identify by block number): Computer Viruses, Virus Prevention, Computer Security, Digital Signatures 
19. ABSTRACT (continue on reverse if necessary and identify by block number): 

Computer viruses have threatened the integrity and reliability of computer systems 
since 1983. Literally hundreds of viruses exist for the IBM compatible computer alone. These 
viruses can cause corruption or loss of program and data files, incidental damage to 
hardware, and degradation or loss of system performance. 

This paper examines the nature of the virus threat by discussing virus types, methods 
and rates of propagation, relative frequencies of occurrence, and genealogy. 

Possible methods for virus detection and identification, followed by disinfection, 
are outlined. Minimum capabilities and testing criteria for these products are also detailed. 

Methods for controlling and limiting infection and damage are discussed. These are 
considered minimum acceptable safeguards to be implemented by an organization. 

Lastly, software authentication means are examined, which, when used in conjunction 
with the minimum safeguards, would eliminate the possibility of viral infection. 

20. DISTRIBUTION/AVAILABILITY OF ABSTRACT: [X] UNCLASSIFIED/UNLIMITED  [ ] SAME AS REPORT  [ ] DTIC USERS 
21. ABSTRACT SECURITY CLASSIFICATION: Unclassified 
22a. NAME OF RESPONSIBLE INDIVIDUAL: Dr. Norman F. Schneidewind 
22b. TELEPHONE (Include Area Code): (408) 646-2719 
22c. OFFICE SYMBOL: AS-SS 

DD FORM 1473, 84 MAR. The 83 APR edition may be used until exhausted; all other editions are obsolete. SECURITY CLASSIFICATION OF THIS PAGE 






Approved for public release; distribution is unlimited. 



Software and the Virus Threat: 
Providing Authenticity In Distribution 

by 



George M. LaVenture 
Lieutenant, United States Navy 
B.S., 1981 Syracuse University 



Submitted in partial fulfillment 
of the requirements for the degree of 



MASTER OF SCIENCE IN COMPUTER SYSTEMS MANAGEMENT 

from the 



NAVAL POSTGRADUATE SCHOOL 
March 1991 






ABSTRACT 



Computer viruses have threatened the integrity and reliability of 
computer systems since 1983. Literally hundreds of viruses exist for the 
IBM compatible computer alone. These viruses can cause corruption or loss 
of program and data files, incidental damage to hardware, and degradation 
or loss of system performance. 

This paper examines the nature of the virus threat by discussing 
virus types, methods and rates of propagation, relative frequencies of 
occurrence, and genealogy. 

Possible methods for virus detection and identification, followed by 
disinfection, are outlined. Minimum capabilities and testing criteria for 
these products are also detailed. 

Methods for controlling and limiting infection and damage are 
discussed. These are considered minimum acceptable safeguards to be 
implemented by an organization. 

Lastly, software authentication means are examined, which, when used 
in conjunction with the minimum safeguards, would eliminate the possibility 
of viral infection. 






TABLE OF CONTENTS 



I. INTRODUCTION 1 

A. BACKGROUND 1 

B. SOFTWARE CATEGORIES 2 

C. MICROCOMPUTER RELIABILITY 3 

II. NATURE OF THE VIRUS THREAT 5 

A. NAME ORIGIN 5 

B. TYPES OF VIRUSES 5 

1. Boot Infectors 6 

2. System Infectors 7 

3. Executable Program Infectors 7 

C. PROPAGATION ESTIMATES 9 

D. RELATIVE FREQUENCY 11 

E. VIRAL GENEALOGY 13 

III. VIRUS IDENTIFICATION AND REMOVAL 15 

A. IDENTIFICATION 15 

1. Infection Preventors 16 

2. Infection Detectors 17 

3. Infection Identifiers 18 

B. REMOVAL 19 

1. Virus Specific Disinfectors 20 






2. Universal Disinfectors 20 



IV. VIRUS INFECTION PREVENTION METHODS 24 

A. USER TRAINING 24 

1. Basic Precautions 24 

2. Virus Recognition 25 

B. HARDWARE MEASURES 26 

1. Write Protect Tabs 26 

2. Tamper-proof Shrinkwrap 27 

3. CD ROM 27 

C. SOFTWARE MEASURES 28 

1. Virus Scanners 28 

2. Authentication Methods 28 

V. AUTHENTICATION METHODS 31 

A. CHECKSUMS 32 

B. CYCLIC REDUNDANCY CODES 32 

C. ENCRYPTION 34 

1. Cryptographic Systems 36 

2. Reasons for Cryptography 37 

a. Secrecy 37 

b. Authenticity 37 

3. Types of Cryptosystems 38 

a. Symmetric Cryptosystems 38 

b. Asymmetric Cryptosystems 38 

D. MESSAGE AUTHENTICATION CODES 39 






1. Public Key Cryptosystems 39 

a. Providing Secrecy 40 

b. Providing Authentication 40 

c. Secrecy with Authentication 40 

2. Message Digests 41 

a. Hash Functions 41 

b. The RSA Signature Scheme 42 

E. HYBRID SYSTEMS 43 

VI. PRACTICAL SOFTWARE AUTHENTICATION 45 

A. MD4 45 

B. SIGN AND CHECK 46 

C. VIRUS-SAFE 46 

VII. CONCLUSIONS AND RECOMMENDATIONS 48 

A. CONFIDENCE BUILDING 48 

1. User Training 49 

2. Virus Detection and Removal 49 

B. ASSURANCE BUILDING 50 

1. Software Authentication 50 

C. THE BOTTOM LINE 52 

VIII. APPENDICES 54 

A. EXAMPLES OF DOS VIRAL INFECTION IN THE US 54 

B. CHRONOLOGY OF A VIRUS AS TOLD BY ITS AUTHOR 55 

C. KNOWN VIRUS INFECTION AND DAMAGE CHARACTERISTICS 56 






D. ANTI-VIRAL PRODUCT MINIMUM CAPABILITIES LIST 60 

1. Infection Prevention Products 60 

2. Infection Detection Products 60 

3. Infection Identification Products 61 

E. ANTI-VIRAL PRODUCT EVALUATION PROCEDURES 62 

1. Infection Prevention Products 62 

2. Infection Detection Products 63 

3. Infection Identification Products 63 

F. ANTI-VIRAL SOFTWARE 65 

1. Infection Prevention Systems 65 

2. Infection Detection Systems 65 

3. Infection Identification Systems 65 

G. MD4 LISTING 66 

IX. LIST OF REFERENCES 71 

INITIAL DISTRIBUTION LIST 73 






ACKNOWLEDGEMENT 

I would like to give special thanks to the following individuals who 
spent their time discussing the subject with me. 

Mr. Mike McLaughlin      Navy Information Resources Management 
Ms. Judith Froscher      Naval Research Laboratory 
Mr. Bruce Calkins        National Computer Security Center 
Mr. Bruce Coster         National Computer Security Center 
Dr. Dennis Branstad      National Institute of Science and Technology 
Mr. John Wick            National Institute of Science and Technology 

Thanks to Mr. Kenneth Van Wyk, moderator of the VIRUS DISCUSSION 
LIST, for sending me his excellent product. 

Very special thanks to my advisor, Dr. Norman F. Schneidewind, at the 
Naval Postgraduate School, Monterey, CA, and my second reader, Mr. John 
Mildner, at the Naval Electronic Systems Security Engineering Center, 
Washington, DC, for their patience and efforts to help me complete this 
research project. 

This research was supported, in part, by the Naval Electronic Systems 
Security Engineering Center, Washington, DC. 



I. INTRODUCTION 



A. BACKGROUND 

Since the first infectious and destructive computer virus was created 
in November 1983[1], and the first microcomputer virus in January 1986[2], the 
computer security field has never been the same.[3] Computer viruses have 
received wide reporting in both trade journals and the general press. Viral 
code written in Asia could be "exported", via modem or mail, around the 
world.[4] Systems could be infected quicker than warnings could be received 
and precautions taken.[5] The recent, and much publicized, UNIX Worm and 
AIDS Trojan incidents are but two examples of the damage malicious code 
can do. 

[1] While conducting Doctoral Thesis research at the University of 
Southern California in 1983 and 1984, Fred Cohen developed the first 
computer virus and conducted propagation experiments on a VAX computer 
with a UNIX operating system. 

[2] The virus, later named Pakistani Brain, originated in Lahore, 
Pakistan. It was developed by two brothers purportedly as a copy 
protection scheme for software they sold in their store. The original 
version of this virus has their names and telephone number programmed 
in the code. 

[3] For comparison, the IBM PC was announced in 1980 and went on sale 
October 1981. 

[4] The Pakistani Brain spread rapidly to North America via Europe. 
In less than twelve months it had infected nearly a half-million computers 
in hundreds of universities, corporations and government agencies. 

[5] Cohen conducted five trial runs in which his virus never took more 
than an hour to infect the VAX system. The shortest time to full infection 
was five minutes, the average half an hour. His work was so successful 
that university officials refused to allow further experiments. 



The Department of the Navy (DON), in its drive toward technological 
sophistication, is becoming increasingly computer dependent. Ships are 
receiving administrative microcomputers and "smart" weapons systems while 
shore establishments have their management information systems 
interconnected by wide and local area networks (WANs and LANs). This 
dependency and interconnection increases the potential of viral infection 
and the threat of data compromise and degradation or loss of system 
performance. Regardless of the source, a campus prankster or a foreign 
power, protecting our systems from viruses will be essential to ensure 
their reliability. 

B. SOFTWARE CATEGORIES 

Software used by DOD can be broadly categorized as either mission 
critical or mission support. Mission critical software directly impacts on 
DOD’s ability to defend the United States from attack. Such software would 
include missile guidance systems and military forces command and control 
programs. Mission support software, all other DOD software not directly 
affecting the defense of the United States, would include payroll packages, 
personnel databases, and office automation. 

Development of mission critical software often requires access to 
classified hardware design and performance specifications. Depending upon 
classification, special storage and development facilities, access procedures, 
and testing criteria may be employed. Additionally, the fielding of hardware 
and software systems would most probably be performed through a secure 
distribution channel. 






Mission support software development will, in general, require access 
to unclassified, or at most, unclassified but sensitive data[1]. Many of the 
restrictions for classified projects may not apply. Distribution of hardware 
and software will be through the Central Design Agent (CDA), the standard 
supply system or via open purchase. Unfortunately, this increases the 
vulnerability of our systems since the relative percentage of word 
processors procured by the Navy exceeds the number of missile guidance 
programs. 

Due to the comparatively open nature of development, the relative 
percentages of procurement, and the underlying simplicity of the custody 
chain, I chose to examine viral protection of mission support software. 

C. MICROCOMPUTER RELIABILITY 

The IBM compatible microcomputer’s popularity, widespread availability, 
and general lack of security has made it the target of most viral attacks 
in the last five years. The threat has become so wide-spread that Allstate 
Insurance Company now offers virus insurance. Its home and business 
insurance policies have been extended to cover viral damage to 
microcomputers. (Skulason, 1990, #3-35) These are the same systems which 
have been used aggressively for office automation, command LANs, and 
access to sensitive command and control systems such as the Worldwide 
Military Command and Control System (WWMCCS). 



[1] The Computer Security Act of 1987, signed into law 8 January 1988, 
created this category of information. It includes privacy act and contract 
sensitive data. 






With this in mind, I will focus on mission support software for IBM 
compatible hardware only.[1] Providing viral safeguards for these systems 
is a first step toward overall computer system protection. The question 
then, is "How do we provide protection from viral attack?". 

I will broadly define a virus as any program which replicates and 
spreads itself secretly. Assuming a given computer is not infected when 
manufactured[2], the infection must occur during use. This implies the 
infection vector[3] is the software[4] which is then added to it by the user. 
We can then narrow our research question to "How do we prevent the 
loading of infected software?". 

Before answering, we must understand the nature of the threat, the 
types of existing viral detection and removal tools, and potential means of 
protecting software. These issues will be addressed in the following 
chapters. 

[1] This is not unrealistic since the vast majority of microcomputers 
dedicated to mission support functions are IBM compatible. Indeed many 
competitively bid procurement contracts have specified this compatibility 
as a requirement. 

[2] A valid assumption since memory is empty and any disk drives are 
empty or unformatted. 

[3] "An agent capable of transmitting a pathogen from one organism to 
another either mechanically as carrier or biologically by playing a specific 
role in the life cycle of the pathogen." [Webster's Third New International 
Dictionary] 

[4] Commercial, shareware, or public domain only, since I assume a 
software developer will not write code to deliberately infect and damage his 
own system. 



II. NATURE OF THE VIRUS THREAT 



A. NAME ORIGIN 

Virus is a normal Latin 2nd declension word meaning 'slime', 'poison', 
and 'offensive'. While its first English usage was in 1599, it was not used 
in its present meaning as 'filterable virus'[1] until 1880. [Oxford English 
Dictionary, Second Edition] The invisible and destructive nature of the 
biological virus led to its adoption as the name for its electronic cousin. 
In fact, many researchers use terms reminiscent of the biological virus: 
vector, infection rate, and vaccine. The plural of 'virus' as used in 
English, is 'viruses'.[2] 

B. TYPES OF VIRUSES 

Computer viruses can be categorized in three major classes based 
upon their area of system residence and/or infection: 

• boot infectors 

• system infectors 

• executable program infectors 

[1] "An infectious organism, usually submicroscopic, that can multiply 
inside certain living host cells. A non-cellular structure lacking any 
intrinsic metabolism usually comprising a DNA or RNA core inside a protein 
coating." [Oxford English Dictionary, Second Edition] It would pass through 
filters that would stop bacteria. 

[2] Of note is the significant disagreement between academicians 
concerning the 'true' plural of 'virus'. The first quarter of 1990 saw weeks 
of electronic word war via the VIRUS DISCUSSION LIST and other research 
oriented electronic forums concerning this point. For my part, I use 
'viruses' throughout this work to represent the plural. 



1. Boot Infectors 

These viruses reside in a disk's[1] boot sector.[2] If active in 
memory, a boot virus will infect a new disk by relocating the boot sector 
contents to a previously empty disk sector and marking it as bad in the 
File Allocation Table (FAT).[3] The virus then adds a jump instruction to its 
end and writes a copy of itself to the boot sector.[4] The jump ensures that, 
after the boot virus is loaded into memory and executed during booting, 
computer control is passed to the original boot code at its new location. 

An infected disk can infect the system whenever the disk boot 
sector is executed.[5] While memory resident, these viruses can infect any 
disk in the system. These viruses are fairly tame since they infect a given 
disk only once and are relatively easy to find. 

[1] DOS disks are organized using a rigid scheme. Each disk in a drive 
is divided into one or more logical volumes. Each logical volume consists 
of four areas: the boot sector containing configuration and bootstrap 
information, an original and backup File Allocation Table (FAT) which holds 
cluster chaining and ownership information, the disk root directory which 
holds information pointing to the first cluster in the FAT chain holding a 
given file's or subdirectory's data, and the file area which consists of 
clusters maintaining file data chained by the FAT pointers. 

[2] The boot sector, logical sector 0, contains critical information 
regarding the disk medium such as: OS name and version, bytes/sector, 
sectors/cluster, number of reserved sectors, number of FATs, number of 
root directory entries, total sectors in the logical volume, media descriptor 
byte, number of sectors/track, number of disk drive heads, number of 
hidden sectors, and the disk bootstrap to load the operating system from 
disk (the ROM bootstrap is smart enough to home the disk drive head, read 
the boot sector from disk, and jump to it in memory). 

[3] The "bad" sector marking in the disk FAT ensures that these 
sectors will not normally be examined or altered by the system. 

[4] Boot infectors typically mark several "good" disk sectors as "bad". 
These sectors are then used to hold the original boot sector code plus 
whatever virus code would not fit in the boot sector. 

[5] A disk's boot sector is examined whenever drive hardware detects 
a diskette change or upon system reset for logical drive 0 only. 

2. System Infectors 

These viruses attach themselves to the command interpreter and 
other system files[1] that remain memory resident and reside on bootable hard 
or floppy disks. Except for exclusively targeting system files, these 
viruses behave similarly to executable program infectors which are 
discussed below. 

While the relatively small number of systems programs should 
make these viruses somewhat tame, the fact that systems programs remain 
memory resident and are frequently called allows these viruses to cause a 
high degree of infection in a short span of time. 

3. Executable Program Infectors 

These viruses are particularly troublesome since they can spread 
to any executable program[2] in the system by either appending or 
overwriting. A virus generally appends itself to either the front or back 
end of an executable file.[3] Front end appenders situate their code so it is 
executed before the host program. After the virus performs its task, it 
then returns control to the legitimate code. Back end appenders usually 
add a JUMP instruction in the front end pointing to the viral code. After 
virus execution, another JUMP points back to the original program code. 
Overwriting viruses simply replace a section of the existing code with their 
own instructions. This subgroup is usually detectable earlier in the 
infection process since the host program may no longer function correctly. 
The appenders may slow program performance but will generally escape 
detection until the virus damage sequence is triggered. 

This type of virus usually accomplishes its infection by either: 

• copying itself to another executable file whenever an infected program 
is executed and then passing control to the host program 

• remaining memory resident and infecting each program that is 
loaded into memory 

During infection, the original file size, date, and time may be 
changed. However, sophisticated viruses may save and restore the original 
values when writing the modification to disk. Additionally, to avoid early 
detection and maximize infection, the virus may avoid previously infected 
files or delay its damage sequence until infection has reached a 
predetermined level. 

[1] The 8086/8088 family of microprocessors are designed so that, when 
reset or powered up, program execution begins at memory address 
0FFFF0H. This lies within ROM memory and contains a jump instruction to 
the system power up self test (POST) and bootstrap code. The bootstrap 
code loads and executes the system programs MSDOS.SYS and IO.SYS. 
IO.SYS ultimately loads and executes the command interpreter 
COMMAND.COM. 

[2] Any program ending with the suffix COM, EXE, OVL, or BIN is 
considered by the operating system to be executable. 

[3] According to John McAfee, Chairman of the Computer Virus Industry 
Association (CVIA) and President of McAfee Associates, a Santa Clara, 
California based anti-viral research and marketing firm: 

"Viruses can attach to a program's beginning, end, middle, or any 
combination of the three. They may fragment and scatter virus 
segments throughout the program or keep the main body of the virus 
unattached to the program, hidden in a bad sector. All known viruses, 
however, [modify the program's beginning to] ensure the virus is 
executed before the host. If this were not so, the uncertain 
environment in which the virus executed would increase the 
possibility of program failure [and early detection]. Viruses which 
replace entire programs, such as boot infectors, and viruses that 
attack only specific programs [such as system infectors], are the only 
exception to this rule. These viruses may gain control at any 
point, since the structure of the host program is well known and the 
environment can be predicted." (McAfee, 1989) 

C. PROPAGATION ESTIMATES 

Estimates of viral multiplication rates are not easily obtained for many 
reasons: 



• computer hardware may remain constant but software used and 
preventative measures taken may vary greatly from site to site and 
machine to machine 

• many researchers are reluctant to divulge their estimations since they 
are often derived from reports concerning products they are 
supporting 

• this information is still considered 'embarrassing' and 'sensitive' 



Dr. Fridrik Skulason, virus researcher at the University of Iceland, 
Technical Editor of the Virus Bulletin (UK), and consultant to the Naval 
Computer Incident Response Team (NAVCIRT) at the Naval Electronic 
Systems Security Engineering Center (NAVELEXSECCEN) in Washington, DC, 
has, however, recently released estimates for two of the oldest and most 
wide-spread viruses.[1] These appear in Figure 1. 

Total number of PCs                    30,000,000 machines 
Number infected with Jerusalem         100,000-500,000 machines 
Number infected with Brain             100,000-500,000 machines 

Figure 1 - Estimated PCs Infected with Jerusalem and Brain (Skulason, 1990, #3-64) 

[1] The Jerusalem and Pakistani Brain viruses are about 51 and 74 
months old, respectively. 



Figure 2 provides the amended estimate if each infection on the same 
machine is counted. 

Number of Jerusalem infections         2,000,000-10,000,000 infections 
Number of Brain infections             1,000,000- 5,000,000 infections 

Figure 2 - Estimated Jerusalem and Brain Infections (Skulason, 1990, #3-64) 

Of note is the apparent virulence of Jerusalem compared with Brain 
even though Brain is a third older. This is primarily due to its targeting 
of executable programs instead of the comparatively rare disk boot 
sectors.[1][2] 

Skulason hypothesizes that viral infections increase exponentially over 
time but slow as the virus saturates the system. This can be seen in 
Figure 3. His experience with organizational infections indicates that once 
a virus infects a computer, it will usually spread organization wide in one 
to two months.[3] (Skulason, 1990, #3-64) 

[1] Skulason estimates that 20 infected programs reside on every 
Jerusalem infected machine, and 10 diskettes have been infected by every 
Brain infected computer. 

[2] According to John Mildner, head of the Naval Computer Incident 
Response Team (NAVCIRT) at the Naval Electronic Systems Security 
Engineering Center (NAVELEXSECCEN) in Washington, DC: "Jerusalem 
probably spreads more rapidly since it uses executable files as the 
infection vector. These files are often transferred electronically via bulletin 
boards or computer networks. On the other hand, the virus most common 
to the Navy, the Stoned boot sector virus, is spread by exchange of data 
files on floppy diskette." (Mildner, 1991) 

[3] Organizations in Iceland are not that large. The Bank of Iceland 
is one of the largest and had about 700 PCs as of mid 1990. 



